Errant clicks on phishing email led to breach, hospital exec says

Even healthcare organizations that make a conscientious effort to comply with HIPAA and continually improve their data security posture can find themselves victimized by cyber attacks.

That lesson was learned the hard way by Wyoming Medical Center, which recently reported a breach that occurred in late February. The Casper-based organization said identities of nearly 3,200 patients were briefly vulnerable after an email phishing attack that tricked two employees into divulging network credentials.

The organization had companywide training last year, including sessions on how to avoid phishing attacks, says Matt Fredericksen, chief compliance and privacy officer.


In addition, Wyoming Medical regularly sends educational email blasts on phishing and launched mock phishing attacks on employees four times between last August and February. Those who failed the mock phishing attacks by clicking on specious links were immediately taken to a training page for re-education. Those efforts were working, and the failure rate during mock phishing attacks was falling, Fredericksen says.

But it only takes one employee, or two in Wyoming Medical’s case, to fail to spot a phishing attack before an organization finds itself on the government’s Wall of Shame list of major breaches.

In addition to those efforts, Wyoming Medical has used two-factor authentication for access to its electronic health record system since that system was implemented. It also conducts privacy and security risk assessments annually, with the last completed in November 2015. Now it is exploring an email auto-delete feature that would retain messages in an enterprise backup but remove them from individual email accounts after a specified time period.

Last week, Wyoming Medical started rolling out two-factor authentication software for email, and it will require employees to turn it on in May. Those who are not using two-factor authentication by June will be locked out of their email accounts until they set it up, Fredericksen says.

Like other organizations that have been breached, Wyoming Medical had to determine whether credit or identity theft protection needed to be offered to affected patients. HIPAA does not require such consumer protection, although it has become more common as the threat environment has worsened. If breached organizations do not offer identity protection services to consumers, they must justify that decision.

In Wyoming Medical’s case, the organization did not offer protective services, explaining in the notification letter that it believed information was accessible for only 15 minutes and there was no evidence that it was viewed or acquired. Further, the data that could have been accessed “did not include the proper information to allow for identity theft,” according to the organization. But for peace of mind, it encouraged affected individuals to place fraud alerts on their credit files.

Even if attackers had actually viewed or copied Wyoming Medical's data, it was relatively benign: a combination of billing invoices from vendors containing an account number, patient name and date of birth, date of service, medical record number and limited medical information, Fredericksen says. Prior to the breach, the organization had contracted for protective monitoring services in case the need arose, and it considered offering protection, but it never got to the point of looking at costs because it decided the breached data did not warrant such services, he added.